How to solve Autopsy (snap) issue: "local drives were not detected. Auto-detection not supported in this OS or admin privileges required"?

After a quick search, from the documentation, section "Adding a Local Disk" (Autopsy User Documentation: Data Sources):

Autopsy can analyze a local disk without needing to first make an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.

Note that if you are analyzing a local disk that is being updated, then Autopsy will not see files that are added after you add it as a data source.

You will need to be running Autopsy as an Administrator to view all devices.

Exactly. Since snaps are well-known troublemaker packages and Autopsy isn’t available through the regular repositories or Flathub, I didn’t find a specific non-invasive method for openSUSE to run only Autopsy as root and not the entire system session. Also, when I run this program from the icon, it doesn’t show the useful root password prompt like, for example, Core Control does at my startup. When I try to run Autopsy from Terminal (Super User) it shows these messages:

update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/boot /boot none bind,ro 0 0): permission denied
mkdir: cannot create directory ‘/run/user/0’: Permission denied
Starting Autopsy…
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: line 41: cd: /home/carlo: Permission denied
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: line 41: cd: /home/carlo: Permission denied
/snap/autopsy/3/autopsy/bin/…/platform/lib/nbexec: WARNING: environment variable DISPLAY is not set
WARNING: Unknown module: javafx.base specified to --add-exports
WARNING: Unknown module: javafx.controls specified to --add-exports
WARNING: Unknown module: javafx.controls specified to --add-opens
Temp Folder for Libraries: /root/snap/autopsy/common/tmp
SleuthkitJNI: loaded libtsk_jni
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.netbeans.TopSecurityManager (file:/snap/autopsy/3/autopsy/platform/lib/boot.jar)
WARNING: Please consider reporting this to the maintainers of org.netbeans.TopSecurityManager
WARNING: System::setSecurityManager will be removed in a future release

I see, so your issue is more related to snap than to Autopsy itself…

I don’t use snap myself, but reading its documentation, I think you could try to add the permission to view the list of disks to Autopsy.

There is a system-files interface, for example, but the documentation page for it states:

  • paths in /dev, such as /dev/sda1

  Access to /dev device nodes requires both AppArmor policy and device control group inclusion, but the system-files interface does not have enough information to generate the necessary policy to enable these use cases. As such, purpose-specific interfaces should be used instead, such as block-devices or raw-volume.

So maybe you will need the block-devices or raw-volume interface, it could be it … worth a try…

@Citizen839X run/install from the zip file?

Do you mean from the GitHub version?

@Citizen839X yes, it has an installer script…

I have no idea where to start with git. How to easily install from git? Can I use GitHub Desktop (flatpak) to install Autopsy Git version?

@Citizen839X The Tags tab → download link → scroll down to Assets;
https://github.com/sleuthkit/autopsy/releases/tag/autopsy-4.21.0

Grab the zip file…

Ok, after downloading the zip file I’ve extracted the content…what now?

@Citizen839X

cd autopsy-4.21.0
autopsy-4.21.0> sh unix_setup.sh

Ok, using Dolphin File Manager, once the content was unzipped, I opened the folder and then gave the “open terminal here” command (shift+F4) … then:

~/Downloads/autopsy-4.21.0 ~/Downloads/autopsy-4.21.0
Checking for PhotoRec…Checking for Java…found in /usr/lib64/jvm/jre-openjdk
Checking for Sleuth Kit Java bindings…ERROR: sleuthkit-4.12.1.jar not found in /usr/share/java/, /usr/local/share/java/, or the environment variable: ‘TSK_JAVA_LIB_PATH’: “”.
Please install the Sleuth Kit Java bindings file.
See Releases · sleuthkit/sleuthkit · GitHub.
carlo@localhost:~/Downloads/autopsy-4.21.0>

It seems I need a Sleuth Kit, so I found here - Releases · sleuthkit/sleuthkit · GitHub - and followed the same procedure, but another issue came …

~/Downloads/sleuthkit-sleuthkit-4.12.1> sh travis_install_libs.sh

Damn! :(

Last update: I’m totally hanged, Sleuth Kit Java bindings are required, and it seems they are available in .deb package only.

If you still want to try to make the Autopsy snap version work, there is documentation for it, including a chapter for your issue with accessing local disks.

From autopsy/snap/README.md at develop · sleuthkit/autopsy · GitHub

Installing Snap

An Autopsy snap package file can be installed by running sudo snap install --dangerous autopsy.snap. The --dangerous needs to be specified because the snap package isn’t signed (see install modes for more information). By default, snap doesn’t allow certain interactions with the operating system. These Super-privileged connections may need to be connected. This can be done manually by running snap connections autopsy to determine any missing connections, and then running snap connect autopsy:home replacing home with the name of the plug. Another option is to run this script, which will connect all missing plugs: snap connections autopsy | sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p' | xargs -I{} sudo snap connect {}. One other possible option may be to install the application with --devmode instead of --dangerous. The --devmode flag is more permissive and will allow all connections to the operating system. More information on interface management can be found at the snapcraft website.

And …

There are no local disks for processing

Autopsy looks at the block devices in the /dev directory for local disks to process. If autopsy can’t read block devices in that directory, it won’t show the local disk. In most instances, starting autopsy with a command like sudo -g disk autopsy should give autopsy the right permissions to view local disks. This assumes that the disk group has read rights to local disks (i.e. /dev/sda1). Appropriate permissions can be determined by running something like ls -l /dev looking for the permissions required for the local disks. Then autopsy should be started in such a way that the $USER and $HOME are preserved (i.e. running as root may be problematic), but the user account and, consequently, autopsy, has sufficient permissions to access local disk block devices.

Also, it seems that there is a sleuthkit package available in the official repo, if that can help…

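The two checks quoted from the README above (unconnected snap plugs, and which group can read the block devices), as an added example that is not part of the thread or of the Autopsy README. The function names and both sample inputs are constructed for illustration; the `sed` expression is the one the README gives.

```shell
#!/bin/sh
# Added example: helper names and both sample inputs are constructed.

# Plugs that `snap connections <snap>` lists with no slot ("-" in the Slot and
# Notes columns), extracted with the sed expression quoted from the README.
missing_plugs() {
    sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p'
}

# From `ls -l /dev` lines on stdin: "<device> <group>" for every block device
# (mode starts with "b") whose group has read permission (5th mode character).
group_readable_disks() {
    awk '$1 ~ /^b/ && substr($1, 5, 1) == "r" { print $NF, $4 }'
}

# $1 = the user's groups as printed by `id -nG`; stdin = `ls -l /dev` lines.
# Prints how to start autopsy so it can read the disks without becoming root.
launch_hint() {
    grp=$(group_readable_disks | awk '{ print $2 }' | sort -u | head -n 1)
    [ -n "$grp" ] || { echo "no group-readable block device found"; return 1; }
    case " $1 " in
        *" $grp "*) echo "autopsy" ;;              # already in the group
        *)          echo "sudo -g $grp autopsy" ;; # same user, group changed
    esac
}

# Constructed sample of `snap connections autopsy` output.
SAMPLE_CONNECTIONS='Interface      Plug                   Slot      Notes
desktop        autopsy:desktop        :desktop  -
home           autopsy:home           -         -
block-devices  autopsy:block-devices  -         -'

# Constructed sample of `ls -l /dev` output.
SAMPLE_DEV='brw-rw---- 1 root disk 8, 0 Jan  1 10:00 sda
brw-rw---- 1 root disk 8, 1 Jan  1 10:00 sda1
brw------- 1 root root 7, 0 Jan  1 10:00 loop0
crw-rw-rw- 1 root tty  5, 0 Jan  1 10:00 tty'

printf '%s\n' "$SAMPLE_CONNECTIONS" | missing_plugs
printf '%s\n' "$SAMPLE_DEV" | group_readable_disks
printf '%s\n' "$SAMPLE_DEV" | launch_hint "carlo users"
```

On a real system, pipe `snap connections autopsy` and `ls -l /dev` into the functions instead of the samples, and pass `"$(id -nG)"` to `launch_hint`.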

This software is very problematic. I followed the snap installation with --devmode, checked the apparmor setting after a reboot (created a profile automatically) and then…it freezes at loading screen (wrap).

I was just looking for a damn software that is able to give me a report exported in Excel after the scanning & recover of previously formatted sectors. To be honest, if this is so much pain, better stick to a simple one like QPhotoRec that does the basic job and is able to recover lost data just fine.

Thanks anyway.